
Entitlement attribute

The Proxy IdP can release the Entitlement attribute. This attribute specifies the particular services to which a user has a right. Its values are defined by agreement between the identity provider and the service provider. It consists of:

  • A list of groups – the groups of which the user is a member and in which the service has an interest
    • Group entitlement (only VO) - value: urn:geant:muni.cz:group:MU#idm.ics.muni.cz
    • Entitlement (only group in VO) - value: urn:geant:cesnet.cz:group:einfra:group1#perun.cesnet.cz
  • Resource capabilities – used to indicate rights to resources; it is expressed in a URN namespace which is used for representing group membership and role information.
    • Resource capabilities - value: urn:geant:cesnet.cz:res:TestingCapabilitiesValue1#perun.cesnet.cz
  • Forwarded entitlement – this attribute is provided by organizations with no possibility of change.
    • Forwarded entitlement - value: urn:geant:muni.cz:group:MU#idm.ics.muni.cz

Description of the attribute's values

Below is an example of an attribute value and a description of its parts. The syntax can look like:

urn:geant:cesnet.cz:res:TestingCapabilitiesValue1#perun.cesnet.cz

  • urn:geant:cesnet.cz - a prefix which represents a namespace of ProxyIdP
  • res:TestingCapabilitiesValue1 - a value
  • perun.cesnet.cz - a suffix which represents the authoritative provider of the attribute
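
As an added example (not part of the original documentation or of the Proxy IdP's own code), a service provider could split a released value into these three parts and compare them exactly, rather than searching the raw string for a substring. The `TRUSTED` mapping, the function names and the accepted value types (`group`, `res`) are assumptions of this example, built from the sample values on this page; group names containing colons are handled.

```python
from typing import NamedTuple, Optional

# Assumed trust configuration for this example: namespace prefix -> authorities
# accepted for it. The pairs are taken from the sample values on this page.
TRUSTED = {
    "urn:geant:cesnet.cz": {"perun.cesnet.cz"},
    "urn:geant:muni.cz": {"idm.ics.muni.cz"},
}
KINDS = ("group", "res")  # value types that appear on this page


class Entitlement(NamedTuple):
    namespace: str
    kind: str       # "group" or "res"
    name: str       # may itself contain ':' (e.g. "einfra:group1")
    authority: str


def parse_entitlement(raw: str, trusted=TRUSTED) -> Optional[Entitlement]:
    """Return the parsed value, or None if it is malformed or untrusted."""
    body, sep, authority = raw.strip().rpartition("#")
    if not sep or not authority:
        return None                      # suffix (authority) is missing
    for namespace, authorities in trusted.items():
        # Anchor the match at the start and require the ':' delimiter, so
        # "urn:geant:cesnet.cz.example" or an embedded copy does not match.
        if not body.startswith(namespace + ":"):
            continue
        if authority not in authorities:
            return None                  # known namespace, unexpected authority
        kind, sep, name = body[len(namespace) + 1:].partition(":")
        if kind not in KINDS or not sep or not name:
            return None
        return Entitlement(namespace, kind, name, authority)
    return None                          # namespace not trusted


def is_authorized(values, required: Entitlement) -> bool:
    """True if any released value parses to exactly the required entitlement."""
    return any(parse_entitlement(v) == required for v in values)
```
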

How to set resource capabilities (the old GUI)

  1. Find the service, which is represented by a facility in the system. You will find it in the “Facility manager” board on the left, where there is the option “Select facility”.
  2. Once you have chosen the facility, you can create a new resource. Just click on “create”.
  3. Fill in “name”, “description” and “for VO”. In the next step, click on “Finish”.
  4. Open the new resource and then the “service settings” tab. Here you can set the attribute “resource capabilities”. It has the form res:<RESOURCE>, where <RESOURCE> is replaced by the name of the resource. Then save it.
  5. Then ask the manager of the VO to assign the group to this resource.
Last modified: 2020/11/10 10:25